
Document: The Art of Computer Virus Research and Defense (pptx)


DOCUMENT INFORMATION

Basic information

Title: The Art of Computer Virus Research and Defense
Format: pptx
Pages: 3,014
Size: 7.71 MB

Contents


THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE

Code: The Theory and Definition of Computer Viruses
References

Chapter 2 The Fascination of Malicious Code Analysis
2.1 Common Patterns of Virus Research
2.2 Antivirus Defense Development
2.3 Terminology of Malicious Programs

Chapter 3 Malicious Code Environments
3.1 Computer Architecture Dependency
3.8 Vulnerability Dependency
3.9 Date and Time Dependency
3.10 JIT Dependency: Microsoft .NET Viruses
3.16 Host Size Dependency
3.17 Debugger Dependency
3.18 Compiler and Linker Dependency
3.19 Device Translator Layer Dependency
3.20 Embedded Object Insertion Dependency
3.21 Self-Contained Environment Dependency
3.22 Multipartite Viruses
3.23 Conclusion
References

Chapter 4 Classification of Infection Strategies
4.1 Boot Viruses
4.2 File Infection Techniques
4.3 An In-Depth Look at Win32

5.7 Viruses in Kernel Mode (Windows NT/2000/XP)
5.8 In-Memory Injectors over Networks

Chapter 7 Advanced Code Evolution Techniques and Computer Virus Generator Kits
7.1 Introduction
7.2 Evolution of Code
7.3 Encrypted Viruses
7.4 Oligomorphic Viruses
7.5 Polymorphic Viruses
7.6 Metamorphic Viruses
7.7 Virus Construction Kits
References

Chapter 8 Classification According to Payload
8.1 No-Payload
8.2 Accidentally Destructive Payload
8.3 Nondestructive Payload
8.4 Somewhat Destructive Payload
8.5 Highly Destructive Payload
8.6 DoS (Denial of Service) Attacks
8.7 Data Stealers: Making Money with Viruses

9.3 Target Locator
9.4 Infection Propagators
9.5 Common Worm Code Transfer and Execution Techniques

Chapter 10 Exploits, Vulnerabilities, and Buffer Overflow Attacks
10.1 Introduction
10.2 Background
10.3 Types of Vulnerabilities
10.4 Current and Previous Threats

11.2 Second-Generation Scanners
11.3 Algorithmic Scanning Methods
11.4 Code Emulation
11.5 Metamorphic Virus Detection Examples
11.6 Heuristic Analysis of 32-Bit Windows Viruses
11.7 Heuristic Analysis Using Neural Networks
11.8 Regular and Generic Disinfection Methods
11.9 Inoculation
11.10 Access Control Systems
11.11 Integrity Checking

12.5 Memory Scanning and Paging
12.6 Memory Disinfection
12.7 Memory Scanning in Kernel Mode
12.8 Possible Attacks Against Memory Scanning
12.9 Conclusion and Future Work
References

Chapter 13 Worm-Blocking Techniques and Host-Based Intrusion Prevention
13.1 Introduction

14.1 Introduction
14.2 Using Router Access Lists
14.3 Firewall Protection
14.4 Network-Intrusion Detection Systems

15.3 Dedicated Virus Analysis on VMWARE
15.4 The Process of Computer Virus Analysis
15.5 Maintaining a Malicious Code Collection
15.6 Automated Analysis: The Digital Immune System

THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE

By Peter Szor

Publisher: Addison Wesley Professional
Pub Date: February 03, 2005
ISBN: 0-321-30454-3
Pages: 744

Symantec's chief antivirus researcher has written the definitive
contemporary virus threats, defense techniques, and
books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware.
systematically covers everything you need to know,

Szor also offers the most thorough and practical primer on virus published, addressing everything from creating
automating the analysis process. This book's coverage includes:

Discovering how malicious code attacks on a variety of
Classifying malware strategies for infection, in-memory protection, payload delivery, exploitation, and
Identifying and responding to code obfuscation threats: polymorphic, and metamorphic
Mastering empirical methods for analyzing malicious with what you learn
Reverse-engineering malicious code with disassemblers, emulators, and virtual machines
Implementing technical defenses: scanning, code emulation, inoculation, integrity checking, sandboxing, and much more
Using worm blocking, host-based intrusion prevention, and defense strategies



What I Cover

What I Do Not Cover

Acknowledgments

Contact Information

Part I STRATEGIES OF THE ATTACKER

Chapter 1 Introduction to the Games of


Section 2.4 Other Categories
Section 2.5 Computer Malware Naming Scheme
Section 2.6 Annotated List of Officially Recognized Platform Names
References

Chapter 3 Malicious Code Environments
Section 3.1 Computer Architecture Dependency
Section 3.2 CPU Dependency
Section 3.3 Operating System Dependency
Section 3.4 Operating System Version Dependency
Section 3.5 File System Dependency
Section 3.6 File Format Dependency
Section 3.7 Interpreted Environment Dependency
Section 3.8 Vulnerability Dependency
Section 3.9 Date and Time Dependency

Section 3.10 JIT Dependency: Microsoft .NET Viruses
Section 3.14 Source Code Dependency
Section 3.15 Resource Dependency on Mac and Palm Platforms
Section 3.16 Host Size Dependency
Section 3.17 Debugger Dependency
Section 3.18 Compiler and Linker Dependency

Section 3.23 Conclusion
References

Chapter 4 Classification of Infection Strategies
Section 4.1 Boot Viruses
Section 4.2 File Infection Techniques
Section 4.3 An In-Depth Look at Win32

Section 5.1 Direct-Action Viruses
Section 5.2 Memory-Resident Viruses
Section 5.3 Temporary Memory-Resident Viruses
Section 5.4 Swapping Viruses
Section 5.5 Viruses in Processes (in User Mode)
Section 5.6 Viruses in Kernel Mode (Windows 9x/Me)

Section 5.7 Viruses in Kernel Mode (Windows NT/2000/XP)
Section 5.8 In-Memory Injectors over Networks
References

Chapter 6 Basic Self-Protection Strategies
Section 6.1 Tunneling Viruses
Section 6.2 Armored Viruses
Section 6.3 Aggressive Retroviruses
References

Chapter 7 Advanced Code Evolution Techniques and Computer Virus Generator Kits
Section 7.1 Introduction
Section 7.2 Evolution of Code
Section 7.3 Encrypted Viruses
Section 7.4 Oligomorphic Viruses
Section 7.5 Polymorphic Viruses
Section 7.6 Metamorphic Viruses
Section 7.7 Virus Construction Kits
References

Chapter 8 Classification According to Payload
Section 8.1 No-Payload
Section 8.2 Accidentally Destructive Payload
Section 8.3 Nondestructive Payload
Section 8.4 Somewhat Destructive Payload
Section 8.5 Highly Destructive Payload
Section 8.6 DoS (Denial of Service) Attacks
Section 8.7 Data Stealers: Making Money with Viruses

Section 9.3 Target Locator
Section 9.4 Infection Propagators

Section 9.5 Common Worm Code Transfer and Execution Techniques
Section 9.6 Update Strategies of Computer Worms
Section 9.7 Remote Control via Signaling
Section 9.8 Intentional and Accidental Interactions
Section 9.9 Wireless Mobile Worms
References

Chapter 10 Exploits, Vulnerabilities, and Buffer Overflow Attacks
Section 10.1 Introduction
Section 10.2 Background
Section 10.3 Types of Vulnerabilities
Section 10.4 Current and Previous Threats
Section 10.5 Summary
References

Part II STRATEGIES OF THE DEFENDER

Chapter 11 Antivirus Defense Techniques
Section 11.1 First-Generation Scanners

Section 11.2 Second-Generation Scanners
Section 11.3 Algorithmic Scanning Methods
Section 11.4 Code Emulation
Section 11.5 Metamorphic Virus Detection Examples
Section 11.10 Access Control Systems
Section 11.11 Integrity Checking
Section 11.12 Behavior Blocking

Section 12.1 Introduction
Section 12.2 The Windows NT Virtual Memory System
Section 12.3 Virtual Address Spaces
Section 12.4 Memory Scanning in User Mode
Section 12.5 Memory Scanning and Paging
Section 12.6 Memory Disinfection
Section 12.7 Memory Scanning in Kernel Mode

Overflow Attacks
Section 13.3 Worm-Blocking Techniques
Section 13.4 Possible Future Worm

Section 14.2 Using Router Access Lists
Section 14.3 Firewall Protection
Section 14.4 Network-Intrusion Detection Systems
Section 14.5 Honeypot Systems
Section 14.6 Counterattacks
Section 14.7 Early Warning Systems
Section 14.8 Worm Behavior Patterns on

Section 15.6 Automated Analysis: The Digital Immune System
References

Chapter 16 Conclusion

Further Reading

Index

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

Symantec Press Publisher: Linda McCarthy
Editor in Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Cover Designer: Alan Clements
Managing Editor: Gina Kanouse
Senior Project Editor: Kristy Hart
Copy Editor: Christal Andry
Indexers: Cheryl Lenser and Larry Sweazy
Compositor: Stickman Studio
Manufacturing Buyer: Dan Uhrig

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419

Copyright © 2005 Symantec Corporation

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
One Lake Street
Upper Saddle River, NJ 07458

Text printed in the United States on recycled paper at Phoenix BookTech in Hagerstown, Maryland.

First printing, February, 2005

To Natalia

About the Author

Peter Szor is a world renowned computer virus and security researcher. He has been actively conducting research on computer viruses for more than 15 years, and he focused on the subject of computer viruses and virus protection in his diploma work in 1991. Over the years, Peter has been fortunate to work with the best-known antivirus products, such as AVP, F-PROT, and Symantec Norton AntiVirus.

Originally, he built his own antivirus program, Pasteur, from 1990 to 1995, in Hungary. Parallel to his interest in computer antivirus development, Peter also has years of experience in fault-tolerant and secured financial transaction systems development.

He was invited to join the Computer Antivirus Researchers Organization (CARO) in 1997. Peter is on the advisory board of Virus Bulletin Magazine and a founding member of the AntiVirus Emergency Discussion (AVED) network.

He has been with Symantec for over five years as a chief researcher in Santa

Bulletin, among others. He is a frequent speaker at conferences, including Virus Bulletin, EICAR, ICSA, and RSA and has given invited talks at such security conferences as the USENIX Security Symposium. Peter is passionate about sharing his research results and educating others about computer viruses and security issues.

Who Should Read This Book

Over the last two decades, several publications appeared on the subject of computer viruses, but only a few have been written by professionals ("insiders") of computer virus research. Although many books exist that discuss the computer virus problem, they usually target a novice audience and are simply not too interesting for the technical professionals. There are only a few works that have no worries going into the technical details, necessary to understand, to effectively defend against computer viruses.

Part of the problem is that existing books have little, if any, information about the current complexity of computer viruses. For example, they lack serious technical information on fast-spreading computer worms that exploit vulnerabilities to invade target systems, or they do not discuss recent code evolution techniques such as code metamorphism. If you wanted to get all the information I have in this book, you would need to spend a lot of time reading articles and papers that are often hidden somewhere deep inside computer virus and security conference proceedings, and perhaps you would need to dig into malicious code for years to extract the relevant details.

I believe that this book is most useful for IT and security professionals who fight against computer viruses on a daily basis. Nowadays, system administrators as well as individual home users often need to deal with computer worms and other malicious programs on their networks. Unfortunately, security courses have very little training on computer virus protection, and the general public knows very little about how to analyze and defend their network from such attacks. To make things more difficult, computer virus analysis techniques have not been discussed in any existing works in sufficient length before.

I also think that, for anybody interested in information security, being aware of what the computer virus writers have "achieved" so far is an important thing to know.

For years, computer virus researchers used to be "file" or "infected object" oriented. To the contrary, security professionals were excited about suspicious events only on the network level. In addition, threats such as CodeRed worm appeared to inject their code into the memory of vulnerable processes over the network, but did not "infect" objects on the disk. Today, it is important to understand all of these major perspectives, the file (storage), in-memory, and network views, and correlate the events using malicious code analysis.

During the years, I have trained many computer virus and security analysts to effectively analyze and respond to malicious code threats. In this book, I have included information about anything that I ever had to deal with. For example, I have relevant examples of ancient threats, such as 8-bit viruses on the Commodore 64. You will see that techniques such as stealth technology appeared in the earliest computer viruses, and on a variety of platforms. Thus, you will be able to realize that current rootkits do not represent anything new! You will find sufficient coverage on 32-bit Windows worm threats with in-depth exploit

Posted: 17/02/2014, 15:20
